Passwords are the primary tool used to secure accounts from unauthorized access. In many systems they are the least secure of all the elements. While people try to be original and even clever (“secret”, “trustno1” or “letmein”), studies have shown that we frequently pick the same passwords as other people. A hacker armed with a list of common passwords might easily get into your account.

Some of the most common passwords are first names, favorite brands (such as cars), sports teams, hobbies, popular characters, keyboard patterns and words with sexual meanings.

Best Practices

Writing down passwords

This topic has different viewpoints. Experts used to advise always memorizing a password, on the grounds that a written password might be discovered. However, if a user must memorize a password, they will tend to choose less secure passwords. While putting a password on a sticky note on the bottom of the keyboard is a bad idea for things that should be secured from co-workers or family members, it's unlikely a hacker working in another city would ever find it. If it is written down, it must be secured and not just hidden.

Use different passwords for different accounts

Unknown to you, a website you use may have been compromised and the passwords stolen. They could then be used at other sites. Make sure your passwords are not just different, but significantly different. Predictability may be your downfall.

Password Length

Generally, longer passwords are considered more secure than shorter ones. But this is only true up to a point, and length by itself is no guarantee: “Password” is the second most common selection, while the much shorter “was” is not even in the top 500.

How secure should you make it?

Some accounts are not critical and a hacked account is little more than an inconvenience. For these, a strong or difficult-to-type password is unnecessary. Other accounts, such as on-line banking, should have a strong password. Since email is frequently used to reset passwords, your email password should be at least as strong as that of the most important account that uses it. Otherwise a hacker who gets into your email account is likely to find clues as to what other accounts you have and use your compromised email to reset those passwords.

How often should you change your password?

Clearly it should be changed if you suspect that it may have been compromised or you no longer feel secure about that computer you last used. However changing it too often may create more problems than it solves and may lead to predictable patterns.

Sharing passwords

Don't let your children fall for the old “friends share secrets” trick. Friends who want to know your password aren't really your friend. Never share your password with someone who calls you. One method hackers use is “social engineering” where they impersonate someone and con you into sharing your password with them.

Types of passwords

Keyboard patterns

Using simple patterns such as “qwerty” (the 8th most common password), “7777777” or “qazwsx” is poor practice and insecure, because such patterns are far too common.

Single word

A single word is prone to a “dictionary attack”, where a hacker literally goes down the dictionary trying each word until one succeeds. If the word also happens to be on the list of the 500 most common passwords, the attack needs even less effort.

A word with a number or punctuation

This significantly increases the security of a password as long as the word and the number are unrelated. When they are related, the combination is just as predictable: “ncc1701” and “bond007” are both found in the top 500 passwords.

Obfuscation (Hacker spelling)

This means altering a word through unusual capitalization (“paSSWord”), adding letters (“masterr”), or substituting letters with numbers (“footba11”) or punctuation (“must@ng”). Used in combination, these alterations should be adequate for most casual uses. Since most alterations are predictable, however, such a password may still fall to a more elaborate dictionary attack that tries the usual substitutions.

Two (or more) unrelated words

Separating two words with a number or punctuation greatly complicates the effort needed by a hacker while making it only slightly harder to remember. Even if the two words are common, the two of them together can literally make it one in a million. However, the two words must be unrelated. For example, “fun4me” would be a poor choice, but “fish%maple” would be a good one.
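The weaknesses described in the sections above (keyboard patterns, single dictionary words, a word padded with a number, predictable “hacker spelling”, and two short words joined by a separator) can all be caught by cheap checks before a password is accepted. The following is an added example written for this article, not code from the original page: a small checker that undoes the common substitutions and then looks for those patterns. The word list, common-password list and the substitution table are constructed, deliberately tiny stand-ins for the real breach-derived lists a deployment would load, and the “two short words” threshold of three letters is an assumption, since whether two words are semantically related (the article's “fun4me” case) cannot be decided automatically.

```python
import re

# Constructed sample standing in for a breach-derived "most common" list.
COMMON_PASSWORDS = {
    "password", "secret", "trustno1", "letmein", "qwerty", "7777777",
    "qazwsx", "ncc1701", "bond007",
}

# Constructed mini word list standing in for a real dictionary.
DICTIONARY = {
    "password", "master", "football", "mustang", "fish", "maple",
    "fun", "me", "monkey", "dragon", "bond",
}

# Keyboard rows plus one "column walk" (q-a-z, w-s-x, ...) so that patterns
# such as "qazwsx" are caught as well as "qwerty" or "asdfgh".
KEYBOARD_WALKS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
                  "qazwsxedcrfvtgbyhnujmikolp"]

# Reverse map for the usual "hacker spelling" substitutions. "1" is mapped
# only to "l" here (assumption: one mapping per symbol is enough for the
# demonstration; a production checker would also try "i").
LEET_MAP = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
            "@": "a", "$": "s", "!": "i"}


def normalize(pw):
    """Lower-case the password and undo common substitutions: footba11 -> football."""
    return "".join(LEET_MAP.get(ch, ch) for ch in pw.lower())


def dictionary_forms(token):
    """Candidate base words for a token: as-is, and with a trailing doubled
    letter removed so that a padded spelling like 'masterr' maps to 'master'."""
    forms = {token}
    if len(token) > 1 and token[-1] == token[-2]:
        forms.add(token[:-1])
    return forms


def is_dictionary_word(token):
    return any(form in DICTIONARY for form in dictionary_forms(token))


def has_keyboard_pattern(pw, min_len=4):
    """True if pw contains a run of min_len or more adjacent keys, in either direction."""
    s = pw.lower()
    for walk in KEYBOARD_WALKS:
        for seq in (walk, walk[::-1]):
            for i in range(len(seq) - min_len + 1):
                if seq[i:i + min_len] in s:
                    return True
    return False


def assess(pw):
    """Return a list of weakness labels for pw. An empty list means none of
    these cheap checks fired, which is not the same as 'strong'."""
    findings = []
    lowered = pw.lower()
    norm = normalize(pw)

    if lowered in COMMON_PASSWORDS or norm in COMMON_PASSWORDS:
        findings.append("common password")
    if len(set(lowered)) == 1:
        findings.append("repeated character")
    if has_keyboard_pattern(lowered):
        findings.append("keyboard pattern")

    # Alphabetic runs of the raw password; digits and punctuation are separators.
    tokens = [t for t in re.split(r"[^a-z]+", lowered) if t]
    if len(tokens) == 1 and is_dictionary_word(tokens[0]):
        if tokens[0] == lowered:
            findings.append("dictionary word")
        else:
            findings.append("dictionary word plus number/punctuation")
    elif norm != lowered and is_dictionary_word(norm):
        # Substitutions were used and undoing them reveals a plain word.
        findings.append("obfuscated dictionary word")

    # Two words joined by a separator: flagged only when a word is very short
    # (assumed threshold of 3 letters); "fish%maple" passes, "fun4me" does not.
    if (len(tokens) == 2 and all(is_dictionary_word(t) for t in tokens)
            and min(len(t) for t in tokens) <= 3):
        findings.append("two short dictionary words")
    return findings


if __name__ == "__main__":
    for candidate in ["qwerty", "7777777", "paSSWord", "footba11",
                      "must@ng", "bond007", "fun4me", "fish%maple"]:
        print(f"{candidate:12} -> {assess(candidate) or ['no finding']}")
```

The point of normalizing before the dictionary lookup is the one the article makes about hacker spelling: an attacker's word list can apply the same handful of substitutions, so “footba11” costs them no more than “football”. The checker is intentionally a set of labels rather than a score, so a site can decide which findings to reject outright and which to merely warn about.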

Pass Phrase

Use a memorized phrase to create a seemingly random string. For example, “I, Nephi, having been born of goodly parents...” could become “INhbbogp”. Add in the scripture reference and it could become “1:1INhbbogp”. While this is a good method to create a “word” not found in the dictionary, there could be some concern if the phrase chosen is too common.

Random

A password generator can be used to create a totally random string of letters, numbers and punctuation. This is frequently considered the most secure option. But it is difficult to remember and can be difficult to type, which makes it easier for someone to observe as it is entered. Some argue that stringing together more words is faster to type, easier to memorize, and just as secure.
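The “just as secure” claim can be checked with arithmetic: what matters is how many equally likely choices the generator had, not what the result looks like. The following added example (written for this article, not code from the original page) generates both kinds of password from the operating system's cryptographic random source and computes how many random words are needed to match a random character string. The eight-word list is a constructed placeholder; the entropy functions take the list size as a parameter, so the 7776-word size of a Diceware-style list is used in the comparison while the tiny list only serves to produce sample output.

```python
import math
import secrets
import string

# Constructed placeholder word list. A real passphrase generator would use a
# list of thousands of words; the entropy depends on the list size, not on the
# particular words, so the size is passed separately to the calculations below.
SAMPLE_WORDS = ["fish", "maple", "lantern", "orbit",
                "pebble", "vivid", "cactus", "harbor"]

# Printable ASCII minus space: 52 letters + 10 digits + 32 punctuation = 94.
SYMBOLS = string.ascii_letters + string.digits + string.punctuation


def random_password(length, alphabet=SYMBOLS):
    """Uniformly random string drawn with the secrets module (CSPRNG), never
    with random.random, which is predictable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words, words=SAMPLE_WORDS, sep="-"):
    """n_words independent uniform picks from the list, joined by sep.
    Picks are independent, so repeated words are allowed (and do not reduce entropy)."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(choices, count):
    """Entropy of `count` independent uniform picks from `choices` options."""
    return count * math.log2(choices)


def words_needed(target_bits, list_size):
    """Fewest words from a uniform list of list_size words that reach target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def compare(char_length, list_size=7776, alphabet_size=len(SYMBOLS)):
    """Return a dict comparing a random character password of char_length
    with the shortest passphrase from list_size words that is at least as strong."""
    target = entropy_bits(alphabet_size, char_length)
    n_words = words_needed(target, list_size)
    return {
        "char_password_bits": round(target, 1),
        "words_needed": n_words,
        "passphrase_bits": round(entropy_bits(list_size, n_words), 1),
    }


if __name__ == "__main__":
    print("random string:", random_password(8))
    print("random words :", random_passphrase(5))
    for n in (8, 12, 16):
        print(f"{n}-character random password vs word list:", compare(n))
```

Two things fall out of the arithmetic. An eight-character random string over 94 symbols carries about 52 bits, and five words from a 7776-word list carry about 65 bits, so the passphrase wins on strength while being easier to type and remember, which is the argument the last sentence above reports. The guarantee holds only when the words are chosen by the generator; a phrase the user thinks up, like the scripture-initials method, has far fewer equally likely alternatives than its length suggests.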